What obligation does a publicly traded company have to disclose security breaches?  On October 13, 2011, the Securities and Exchange Commission took an important step towards answering this question when it issued a guidance that attempts to clarify a company’s obligations to disclose cybersecurity risks in registration statements and periodic reports required by the Securities Exchange Commission.

The “CF Disclosure Guidance: Topic No. 2” provides the SEC’s Division of Corporation Finance’s views regarding disclosure obligations relating to cybersecurity risks.  Publicly traded companies are required to disclose timely, comprehensive, and accurate information about risks and events that a reasonable investor would consider important to an investment decision.  The guidance clarifies that this same obligation may apply to cybersecurity risks and incidents if the issues those risks/incidents raise “are among the most significant factors that make an investment in the company speculative or risky.”

In determining whether a risk factor disclosure is required, a company should consider the severity and frequency of prior cyber incidents, including the potential costs and other consequences resulting from misappropriation of sensitive information, corruption of data, or operational disruption.  The company should also consider “the adequacy of preventative actions taken to reduce cybersecurity risks in the context of the industry in which they operate and risks to that security, including threatened attacks of which they are aware.”

The guidance also provides instruction on what an appropriate disclosure should contain once a company has determined that a disclosure is necessary:

  • Discussion of aspects of the registrant’s business or operations that give rise to material cybersecurity risks and the potential costs and consequences;
  • To the extent the registrant outsources functions that have material cybersecurity risks, description of those functions and how the registrant addresses those risks;
  • Description of cyber incidents experienced by the registrant that are individually, or in the aggregate, material, including a description of the costs and other consequences;
  • Risks related to cyber incidents that may remain undetected for an extended period; and
  • Description of relevant insurance coverage.

In my next post, we will look at the limitations of the Guidance.

DISCLAIMER:  The opinions expressed here represent those of Al Saikali and not those of Shook, Hardy & Bacon, LLP or its clients.  Similarly, the opinions expressed by those providing comments are theirs alone, and do not reflect the opinions of Al Saikali, Shook, Hardy & Bacon, or its clients.  All of the data and information provided on this site is for informational purposes only.  It is not legal advice nor should it be relied on as legal advice.